Oracle® Communications IP Service Activator Security Guide
Release 7.2

E35657-01

2 Performing a Secure IP Service Activator Installation

This chapter presents planning information for the Oracle Communications IP Service Activator secure installation.

For information about installing and configuring IP Service Activator, see IP Service Activator Installation Guide and IP Service Activator System Administrator's Guide.

For more information about installing Oracle Communications Configuration Management, see Configuration Management Installation and System Administration Guide.

Pre-Installation Configuration

You must have at least one dedicated UNIX group and one dedicated user account within that group for IP Service Activator. You must run the Installer as a non-root user. Oracle recommends that the umask for this user be set to 077. An Oracle Database user must be created with no permissions granted to the public user. See IP Service Activator Installation Guide for the set of permissions.

Note:

If you are using the Configuration Template Module, set the additional permissions listed in IP Service Activator Installation Guide.

If you are using the IP Service Activator Web service or Configuration Management, you must create a WebLogic domain. Oracle recommends that you always run in production mode with Oracle WebLogic server. If you are running multiple applications, Oracle recommends that you deploy each application to its own managed server.

When the IP Service Activator Web service is deployed in a managed server that is separate from Oracle Communications Order and Service Management (OSM), a Java Messaging Service message-forwarding mechanism is required to enable JMS message delivery between applications. The Store and Forward (SAF) and IP Service Activator Web Service JMS modules are made secure by using a security policy. For more information, see Solution Uptake Guide for MPLS VPN with Ethernet Access.

Installing IP Service Activator Securely

You can install IP Service Activator using a custom installation or a typical installation. Oracle recommends that you do a custom installation to avoid installing components and options that you do not need. To limit your exposure in a production environment, Oracle recommends that you do not install unused options, components, or sample files.

Secure File System Access

Access to files that are created during installation is limited to the owner. IP Service Activator does not allow installation, and issues a warning, if the installation is attempted by a user that has root access.

File Permissions

The following are the default permissions set for the installed files:

  • rw-,r--,--- 640 (for all library files)

  • rwx,r-x,--- 750 (for all executable files)

  • rwx,rwx,--- 770 (for all directories)

Default permissions are set to the lowest possible level. Oracle recommends keeping the permissions as restrictive as possible, as per your business needs.
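The pre-installation requirements (non-root installation user, umask 077) and the default modes listed above can be checked with a short script. The following is an added example, not part of the Oracle documentation or product; it assumes GNU find, and the sample file names it creates are constructed.

```shell
#!/bin/sh
# Added example, not Oracle code. Assumes GNU find (-perm /mode, -printf).

# Pre-installation check. $1 = numeric uid, $2 = umask string (e.g. "0077").
# The installer must run as a non-root user; 077 is the recommended umask.
check_install_user() {
    if [ "$1" -eq 0 ]; then
        echo "FAIL: installer must not be run as root"; return 1
    fi
    case $2 in
        077|0077) echo "OK: uid=$1 umask=$2" ;;
        *) echo "FAIL: umask is $2, recommended value is 077"; return 1 ;;
    esac
}

# Print "<octal mode> <path>" for every entry under $1 that is looser than the
# documented defaults (640 libraries, 750 executables, 770 directories):
#   - any permission bit for "other" (all three defaults end in ---)
#   - a regular file that is group-writable (neither 640 nor 750 allows it)
# Symbolic links are skipped. Returns 1 if anything is reported.
audit_tree() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    findings=$(find "$1" ! -type l \( -perm /007 -o \( -type f -perm /020 \) \) \
                   -printf '%m %p\n' | sort -k2)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (hypothetical file names) used when no path is given.
make_sample_tree() {
    mkdir -p "$1/lib" "$1/bin" "$1/logs"
    : > "$1/lib/libsample.so"; : > "$1/bin/sample_server"; : > "$1/logs/sample.log"
    chmod 770 "$1" "$1/lib" "$1/bin"
    chmod 640 "$1/lib/libsample.so"
    chmod 750 "$1/bin/sample_server"
    chmod 775 "$1/logs"              # drifted: "other" can list the directory
    chmod 664 "$1/logs/sample.log"   # drifted: group-writable, world-readable
}

# Audit the path given as $1, or the constructed sample tree when none is given.
if [ "$#" -ge 1 ]; then
    check_install_user "$(id -u)" "$(umask)" || true
    audit_tree "$1" || echo "entries above are looser than the documented defaults"
else
    tmp=$(mktemp -d); make_sample_tree "$tmp"
    audit_tree "$tmp" || echo "entries above are looser than the documented defaults"
    rm -rf "$tmp"
fi
```

Run it with the installation directory or the WebLogic domain configuration directory as the argument; an empty report means no entry grants access to "other" and no regular file is group-writable.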

Oracle recommends that the WebLogic Server installation user and the IP Service Activator application installation user share the same group and the same user ID.

IP Service Activator uses the umask of 039 for auto-generated files (for example, log files), which is explicitly set in all scripts.

Protect the WebLogic configuration (JMS, JDBC, and so on) file, config.xml, with the proper permissions. This file is located in the configuration directory of the domain.

The WebLogic Datasource passwords are encrypted using the Oracle-recommended 3AES algorithm and are stored in the WebLogic server configuration files.

Strong Passwords

Oracle recommends having strong password policies for IP Service Activator users and WebLogic Server and Oracle Database schema users. Oracle recommends the following:

  • A password length between 6 and 24 characters

  • A password containing at least one alphabetic, one numeric, and one special character. For example: WebLogic@123.

  • That the user name not be part of the password

  • Additional IP Service Activator policies that must be configured using the client:

    • The IP Service Activator user's password should expire every 28 days.

    • The IP Service Activator user's password cannot be the same as any of the previous six passwords.

    • The IP Service Activator user's account is disabled after six login failures.

Oracle WebLogic Server Configurations

After you create the WebLogic Server domain for IP Service Activator, start the Admin Server by running the following command:

startManagedServer.sh ManagedServer_1 t3s://Hostname:Port 

where ManagedServer_1 is the name of the first managed server, and Hostname is the hostname of the admin server. For more information about configuring WebLogic, see the WebLogic documentation.

Configuring WebLogic Session Timeout

It is a security risk to leave the WebLogic server session running for long periods of time.

The default session timeout in Configuration Management is 60 minutes. The WebLogic Server administrator can change this value.

To change the WebLogic default session timeout:

  1. Log in to WebLogic Administration Console.

  2. In the Domain Structure section, click Deployments.

  3. Click the application Configuration Management deployed as Enterprise Application.

    The Configuration Management deployment settings appear.

  4. Click the Configuration tab.

  5. Set Session Timeout (in seconds) to the new timeout value.

  6. Click Save.

    If you have not already created a deployment plan, WebLogic creates one with the above changes and prompts you to save the deployment plan. Enter a name and path for the deployment plan and click OK.

  7. In the Domain Structure section, click Deployments.

  8. Click the application Configuration Management deployed as Enterprise Application.

  9. Click Update.

  10. Select Update this Application in Place with New Deployment Plan Changes.

  11. Set Deployment Plan to the deployment plan created in step 6.

  12. Browse to the file by clicking Change Path.

  13. Click Next.

  14. Click Finish.

  15. Restart the WebLogic server.

For more information, see "Configuring Applications for Production Deployment" on the Oracle Technology Network Web site.

Configuring Configuration Management Session Timeout

It is a security risk to leave the Configuration Management session running for long periods of time.

The default session timeout in Configuration Management to maintain a connection to IP Service Activator is 30 minutes. You can change this value.

To change the Configuration Management session timeout value:

  1. Log in to the Configuration Management client.

  2. Click the Configuration Management Server tab.

  3. Set User Interface Session Timeout (mins) to the new timeout value.

  4. Click Commit.

Post-Installation Tasks

IP Service Activator communicates over CORBA. To control access for CORBA connections, see "CORBA ORB Configuration for IP Service Activator" in IP Service Activator Installation Guide.

IP Service Activator comes with a predefined user account: admin. Oracle recommends that, immediately after you install IP Service Activator, you start the client and change the default password for the admin user. Oracle recommends that you create a new SuperUser and delete the admin user.